Re: [iwar] 21 club

From: Fred Cohen (fc@all.net)
Date: 2001-07-24 06:51:07


Message-Id: <200107241351.GAA11701@big.all.net>
To: iwar@yahoogroups.com
In-Reply-To: <FMEBKCCNDNLCDGCDNJAOGEGHCAAA.jsforza@isrisk.net> from "John Sforza" at Jul 24, 2001 08:24:59 AM
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL1]
From: Fred Cohen <fc@all.net>
Date: Tue, 24 Jul 2001 06:51:07 -0700 (PDT)
Reply-To: iwar@yahoogroups.com
Subject: Re: [iwar] 21 club

Per the message sent by John Sforza:

> > > e.r. says:
> > >" Most of its members are without a clue on IWAR and cyber-terrorism, and
> > >the firm which they ran have all been  victums[sic] of cybers attacks
> > > already."

> > Jim Says
> > ..and your justification for this opinion is...? What substantiates the idea
> > "21 CEOs" are worse than what currently exists?

> John Says:
> Among those individuals with enough 'name' to be taken seriously by private
> and government entities, who hasn't had an experience with some form of
> cyber attack. As to 'clue' these individuals need to lead the process - not
> fight in the trenches and that requires vision. Perhaps a new set of
> viewpoints would be productive. On the other hand I am reminded of the poem
> 'The Blind Men and the Elephant' by John Godfrey Saxe (with credit of course
> to its Indian origin), it will be very difficult (Fred, how about a
> probability model of group consensus here) if not impossible to define and
> drive an effective cyber security policy without a dominant leader and I am
> not sure that Condoleezza Rice can provide that among other
> responsibilities. I also have reservations regarding an 'all Federal' group,
> let's let everybody play. Bottom line - 21 individuals in a room is either a
> cocktail party or an unlawful assembly.

Fred Says:

[2^(i pi) / 17^23] /273.44323 = nothing of value.

As far as I recall, the ideal size for a group in order to be effective
is on the order of 4-7 - one of the reasons we choose groups of this
size for most projects (or chunk the projects into this many subgroups
- recursively).  A manager can supposedly manage 20 people effectively -
so Condo should be able to handle that part of it.

Without these agencies represented you are unlikely to have the
consensus you need to get things to work in the government anyway, but
that isn't really the issue at all and never has been.  They were all
consulted (for certain) by Mr.  Clark.  The issue is whether Ms.  Rice
can effectively deal with this issue at this level while also dealing
with the many other issues she has to deal with.  She could presumably
manage 20 people if that was all she was doing - but it's not.  The
question is whether the US needs a single, full-time top-level manager
in charge of this issue.  Bush thinks not.

My experience and the history of the last many years has shown that
companies and organizations that do not have a high quality top level
person in charge of this function tend to have poorly coordinated
programs and tend to be less efficient, less effective, and more
susceptible to high consequence incidents.  For effective organizations
this spreads down the organizational structure recursively so that
something like 5% of the IT effort is oriented toward information
protection.  In other words, if the US government had a CIO, 1 of the
20 people reporting to them should be a top-level full-time information
protection manager.  This should hold for every other level of
management and staff involved in using computers to do their jobs.

So if there were 40 million federal employee hours per week spent using
computers, there should be 2 million employee hours per week spent in
information protection.  This figure includes systems and network
administration tasks as well as 'computer security' tasks - which can
not realistically be separated.

Just my view.

FC
--
Fred Cohen at Sandia National Laboratories at tel:925-294-2087 fax:925-294-1225
  Fred Cohen & Associates: http://all.net - fc@all.net - tel/fax:925-454-0171
      Fred Cohen - Practitioner in Residence - The University of New Haven
   This communication is confidential to the parties it is intended to serve.
	PGP keys: https://all.net/pgpkeys.html - Have a great day!!!





This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:37 PDT